Killing the Internet with an NSTIC – Citizen Registry in Corp/Gov ID systems

I used not to be wary of expressing myself or utilizing the internet; however, now that there is going to be a centralizing federal/private integration of online identity security measures, in the National Strategy for Trusted Identities in Cyberspace (NSTIC), I am terrorized by the idea.

A couple of months ago, I spoke with a security researcher at a conference about the NSTIC. He questioned the need for an intermediary to manage users’ identity information; he asked why we don’t just do this at the user’s endpoint, eliminating the need for the user to trust an external party. This is a good place to begin a discussion about the NSTIC architecture.

An intermediary, usually referred to as an Identity Provider (IdP), represents the subject (user) in transactions. In the NSTIC model, the IdP is operated by a third party chosen by the user. A user would want to choose an IdP operated by an entity they trust, one that is very secure and reliable, and one that is accredited for the strength of authentication required by the range of transactions the user expects to perform. Depending on their need for high-assurance identity for the kinds of things they do online, they might also want to choose an IdP that is accredited for that level of trust.

The alternatives to a third-party identity provider are either to operate the identity system without an IdP at all or with one operated directly by the user.

In the absence of an identity provider, we are basically where we are now. Users are forced to keep track of a large number of credentials, typically one for each service, including at least an identifier and either a password or some other authentication device such as a token. The management of these credentials can be a substantial burden. If they use passwords for authentication, there is a tendency to use the same password on multiple services, placing all at risk if any of them is compromised. If the user uses hardware tokens or smart cards, they would need to carry as many as necessary and keep track of which to use in each situation. Of course, these tokens could be standardized and used for multiple services but that would put some token service in a de facto position as an IdP.

An identity provider could be operated directly by the user, probably on the user’s own endpoint. This solves the credential management problem but introduces new problems if that endpoint is compromised, lost or damaged. The risk of compromise can be mitigated by encrypting the credentials on the endpoint, but they would still be vulnerable to a multi-pronged attack (key logging combined with theft of the laptop, for example). Loss of or damage to the endpoint can be mitigated by backing up the credentials securely, but the track record of the general public when it comes to such best practices is poor. This also limits the user to that one endpoint for all transactions, which becomes a problem for use cases that don’t involve traditional endpoints.

An IdP also performs the important privacy function of providing “safety in numbers.” As part of its function, the IdP substitutes the identifier used to authenticate to it with an opaque per-relying-party identifier. This opaque identifier, in the absence of attributes identifying the user, provides pseudonymity and discourages correlation of the user across multiple services. But suppose instead that the IdP represents exactly one user. In that case, the choice of IdP alone provides a correlation handle that defeats pseudonymity. On the other hand, if there is only a small number of IdPs from which to choose, the likelihood that there is one with a high degree of user trust decreases, and the concentration of trust in a few parties becomes a concern. For this reason, there is a “sweet spot” between a few IdPs with many accounts each and individual IdPs per user or perhaps per family.
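The per-relying-party identifier and the “safety in numbers” argument can be made concrete with a small model. The following is an added example, not code from the original post or from any NSTIC specification: it derives opaque identifiers with an HMAC keyed by an IdP secret (one common construction; the NSTIC text does not prescribe one), then checks what two colluding relying parties could link using only what the IdP asserts to them. The IdP names, keys and account lists are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed example: one IdP shared by several accounts, one IdP serving a single user.
IDP_KEYS = {
    "big-idp.example": b"constructed-demo-key-big-idp",
    "alice-idp.example": b"constructed-demo-key-alice-idp",
}
IDP_ACCOUNTS = {
    "big-idp.example": ["alice", "bob", "carol", "dave"],
    "alice-idp.example": ["alice"],
}


def pairwise_id(idp_key: bytes, user_id: str, rp_id: str) -> str:
    """Opaque per-relying-party identifier: stable for one (user, RP) pair,
    unrelated across RPs, and not reversible to the user's IdP identifier
    without the IdP key."""
    # A separator keeps rp_id="ab",user="c" distinct from rp_id="a",user="bc".
    msg = rp_id.encode() + b"\x00" + user_id.encode()
    return hmac.new(idp_key, msg, hashlib.sha256).hexdigest()[:32]


def rp_view(idp_name: str, rp_id: str) -> set[tuple[str, str]]:
    """What a relying party learns per login with no identifying attributes:
    which IdP made the assertion, and the opaque identifier."""
    key = IDP_KEYS[idp_name]
    return {(idp_name, pairwise_id(key, u, rp_id)) for u in IDP_ACCOUNTS[idp_name]}


def shared_identifiers(view_a: set, view_b: set) -> set[str]:
    """Identifiers that appear at both RPs. With pairwise identifiers this is empty."""
    return {i for _, i in view_a} & {i for _, i in view_b}


def certain_links(view_a: set, view_b: set) -> int:
    """Number of people two colluding RPs can link with certainty using only the
    IdP name as a handle: a link is certain exactly when the shared IdP has one account."""
    idps_a = {idp for idp, _ in view_a}
    idps_b = {idp for idp, _ in view_b}
    return sum(1 for idp in idps_a & idps_b if len(IDP_ACCOUNTS[idp]) == 1)


if __name__ == "__main__":
    shop = rp_view("big-idp.example", "shop.example") | rp_view("alice-idp.example", "shop.example")
    bank = rp_view("big-idp.example", "bank.example") | rp_view("alice-idp.example", "bank.example")
    print("identifiers shared across RPs:", shared_identifiers(shop, bank))
    print("users linkable from the IdP name alone:", certain_links(shop, bank))
```

The identifiers themselves never match across the two relying parties, so the only correlation handle left is the name of the asserting IdP, and that handle identifies a person exactly when the IdP is a single-user one.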

An IdP can also fulfill an important security function by monitoring usage patterns for suspicious activity. Suppose I authenticated from California and a few minutes later authenticated from someplace far away: I’d like to get an alert about that, much as my credit card provider alerts me of suspicious activity. This makes some people nervous on privacy grounds, so perhaps they want to use an IdP that doesn’t do that. That’s another reason that IdP choice is important. Overall, while the use of an intermediary introduces new security risks, it provides new opportunities to improve security as well.
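The "California, then somewhere far away a few minutes later" check is usually called impossible-travel detection. The block below is an added example, not code from the original post or from any IdP product: it reads constructed authentication events (timestamp, user, approximate coordinates as an IP geolocation lookup would supply them), computes the great-circle distance between a user's consecutive logins, and raises an alert when the implied speed exceeds a threshold. The log format, the 900 km/h threshold and the 50 km noise tolerance are assumptions chosen for the demonstration.

```python
import math
from datetime import datetime, timezone

# Constructed sample of IdP authentication events: "<ISO timestamp> <user> <lat>,<lon>".
SAMPLE_LOG = """\
2012-03-01T10:00:00Z alice 37.34,-121.89
2012-03-01T10:07:00Z alice 35.68,139.69
2012-03-01T10:00:00Z bob 37.77,-122.42
2012-03-01T16:00:00Z bob 34.05,-118.24
"""


def parse_log(text: str) -> list[tuple[datetime, str, float, float]]:
    """Parse the constructed log format into (time, user, lat, lon), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, coords = line.split()
        lat, lon = (float(x) for x in coords.split(","))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, lat, lon))
    return sorted(events)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh: float = 900.0, tolerance_km: float = 50.0) -> list[dict]:
    """Flag consecutive logins by one user whose implied speed exceeds max_kmh
    (roughly airliner speed). Moves shorter than tolerance_km are ignored because
    IP geolocation is imprecise and two logins at the same instant from one city
    would otherwise divide by zero. Only each user's last event is kept, not a
    location history, which limits what the IdP retains about the user."""
    last: dict[str, tuple[datetime, float, float]] = {}
    alerts = []
    for when, user, lat, lon in events:
        if user in last:
            pwhen, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            if km > tolerance_km:
                hours = (when - pwhen).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if speed > max_kmh:
                    alerts.append({"user": user, "km": round(km),
                                   "minutes": round(hours * 60), "kmh": round(speed)})
        last[user] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['user']}: {a['km']} km in {a['minutes']} min ({a['kmh']} km/h)")
```

On the sample, alice's two logins are about 8,300 km apart seven minutes apart and are flagged, while bob's 560 km over six hours is ordinary travel and is not. Whether an IdP is allowed to keep even the single "last location" per user that this check needs is precisely the privacy choice the paragraph above describes.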

National Strategy for Trusted Identities in Cyberspace
Creating Options for Enhanced Online Security and Privacy
DHS
June 25, 2010

Executive Summary
Cyberspace – the interdependent network of information technology components that underpins
many of our communications – is a crucial component of the Nation’s critical infrastructure. We use cyberspace to exchange information, buy and sell products and services, and enable many online transactions across a wide range of sectors, both nationally and internationally. As a result, a secure cyberspace is critical to the health of our economy and to the security of our Nation. In particular, the Federal Government must address the recent and alarming rise in online fraud, identity theft, and misuse of information online.

One key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace. While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities. Spoofed websites, stolen passwords, and compromised login accounts are all symptoms of an untrustworthy computing environment. This Strategy seeks to identify ways to raise the level of trust associated with the identities of individuals, organizations, services, and devices involved in certain types of online transactions.

The Strategy’s vision is:
Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation…
Universal application of FIPPs provides the basis for confidence and trust in online transactions.

Following on the heels of last week’s Federal Funding Opportunity (FFO) for NSTIC pilot programs, this new report lays out a path to establish what I have long viewed as the “long pole in the tent” of NSTIC implementation: the establishment of a privately-led steering group to tackle the complex policy and technical issues needed to create the Identity Ecosystem envisioned by the NSTIC.

The recommendations in this new report were directly influenced through our outreach to stakeholders like you. Last summer we sought feedback from stakeholders on how to create and establish a private sector-led Identity Ecosystem Steering Group. Through responses to a Notice of Inquiry (NOI) and a public workshop, we were able to collect invaluable insight from a broad cross section of stakeholders. Over 270 participants attended a June 9-10 workshop, and 57 stakeholders from private industry, consumer advocacy groups, privacy protection organizations, state government, and members of the financial and health care communities provided formal responses to the NOI.

This new report summarizes the responses and insights we received from across the community, and importantly, provides the government’s recommendations on the establishment of an Identity Ecosystem Steering Group that can bring together all NSTIC stakeholders – including the private sector, advocacy groups, public sector agencies and other organizations – to jointly create an online environment where individuals and organizations will be able to better trust one another, with minimized disclosure of personal information.

The new report contains several key recommendations, including:

The Steering Group should be established as a new organization that is led by the private sector in conjunction with, but independent of, the federal government.

The group should be structured to safeguard individual privacy and the underrepresented, through mechanisms like a special privacy coordination committee and an appointed ombudsman – as well as a charter which embraces openness, transparency, balance, consensus, and harmonization as key operating principles.

An administrative body to support the Steering Group should be initially funded by the government through a competitive two-year grant – to catalyze its formation and ensure there are no barriers to participation. After a period of initial government support, the steering group should establish a self-sustaining structure capable of allowing continued growth and operational independence.

The report also includes a recommended charter to help jumpstart the Steering Group’s initial activities.

NIST intends to issue a Federal Funding Opportunity (FFO) for an organization to convene the Identity Ecosystem Steering Group and provide it with ongoing secretarial, administrative and logistical support. This will enable the group to convene its first formal meeting late this spring. We expect to publish the FFO in the next two weeks.

NIST is also planning a follow-on workshop on March 15, 2012 at the Department of Commerce in Washington, D.C., to convene stakeholders, review the findings of the report and jumpstart NSTIC implementation activities in advance of the formal creation of the Steering Group later this spring. Specifically, we want to kick off a discussion on the governance recommendations and charter amongst stakeholders – ensuring that the first formal meeting of the Steering Group focuses less on the structure of the Group, and more on an actual work plan to tackle creation of the Identity Ecosystem Framework.

The Internet has become indispensable for most of us. Shopping. Connecting with friends. Banking. Blogging. Reviewing medical records. We use it for just about everything.

Unfortunately, on the Internet as in life, not everyone is looking out for our interests. Cyber crime costs individuals and businesses billions of dollars every year. An estimated 11.7 million Americans were victims of identity theft of some kind including online identity theft over a recent two-year period.

A recent Federal Bureau of Investigation report stated that “identity theft has emerged as a dominant and pervasive financial crime that exposes individuals and businesses to significant losses and undermines the credibility and operation of the entire U.S. financial system.”

A contributing factor is the unmanageable number of passwords people must remember to access their online accounts. Many people don’t even try; they just re-use the same ones for all of their accounts, making it that much easier for identity thieves.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions.

The Strategy calls for the development of interoperable technology standards and policies – an “Identity Ecosystem” – where individuals, organizations, and underlying infrastructure – such as routers and servers – can be authoritatively authenticated. The goals of the Strategy are to protect individuals, businesses, and public agencies from the high costs of cyber crimes like identity theft and fraud, while simultaneously helping to ensure that the Internet continues to support innovation and a thriving marketplace of products and ideas.

The Strategy was developed with substantial input from the private sector and the public. It calls for the effort to be led by the private sector, in partnership with the federal government…